diff options
author | Andreas Geissler <andreas-geissler@telekom.de> | 2023-07-27 19:07:08 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2023-08-04 08:45:18 +0200 |
commit | d4f832dbaf2f190c5bed08aff3d56f9378a3d5f9 (patch) | |
tree | 33179a9572f4d4ed9261bf290b947cfeb1ad50c1 /kubernetes/common | |
parent | 7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f (diff) |
[COMMON][SA] Add default role creation to ServiceAccount
Adds an option "createDefaultRoles" to create roles instead
of using the roles-wrapper
Issue-ID: OOM-3233
Change-Id: I03eb95b641034637fa218010025b2c452aba09d1
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/common')
-rw-r--r-- | kubernetes/common/serviceAccount/Chart.yaml | 3 | ||||
-rw-r--r-- | kubernetes/common/serviceAccount/templates/role-binding.yaml | 4 | ||||
-rw-r--r-- | kubernetes/common/serviceAccount/templates/role.yaml | 107 | ||||
-rw-r--r-- | kubernetes/common/serviceAccount/values.yaml | 13 |
4 files changed, 122 insertions, 5 deletions
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index f214dceeb8..7afd31f4d9 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml +++ b/kubernetes/common/serviceAccount/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount -version: 13.0.0 +version: 13.0.1 dependencies: - name: common diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 7c272aecda..11593ccccb 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ {{- range $role_type := $dot.Values.roles }} {{/* retrieve the names for generic roles */}} {{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} -{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{- if or (not (has $role_type $dot.Values.defaultRoles)) ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} {{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} {{- end }} --- @@ -36,4 +37,3 @@ roleRef: name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} - diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 2055885f2a..1b686f521c 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,5 +38,111 @@ rules: verbs: - create {{- end }} +{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + - services + - pods + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - services + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end }} {{- end }} {{- end }} diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index 22faeb6904..4c9f75f38d 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,13 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Default roles will be created by roles wrapper -# It won't work if roles wrapper is disabled. +# Global flag to enable the creation of default roles instead of using +# common roles-wrapper +global: + createDefaultRoles: false + +# Default roles will be created by roles wrapper, +# if "createDefaultRoles=false" roles: - nothing # - read # - create +# Flag to enable the creation of default roles instead of using +# common roles-wrapper +createDefaultRoles: false defaultRoles: - nothing - read |